Mailinglist Archive: zypp-devel (47 mails)
| < Previous | Next > |
Re: [zypp-devel] "must see" advisories for security updates, distro upgrades, OBS
- From: Stanislav Brabec <sbrabec@xxxxxxx>
- Date: Mon, 11 May 2009 18:26:10 +0200
- Message-id: <1242059170.19787.66.camel@xxxxxxxxxxxxxx>
Jano Kupec wrote:
Not only that.
It is not sufficient. You want to tell user this fact only once, only
and only if the old version was vulnerable and the new is not.
This is different from insnotify(), which is called every time package
is updated.
As nobody is forced to install each update (especially in OBS), you
cannot do it just for a single versions.
It can even happen that one is updating from vulnerable SLES10 to fixed
SLES11. Even then displaying of "must see" advisory is important.
In the best case user should be warned every time package management is
started online (from command line or GUI) until user confirms that
advisory was read and action was taken (or considered not being
affected).
Confirming this message should be even more privileged action than
installing a security update itself - on a typical desktop it's OK to
click OK for update by user, but it's not OK to click "I reformatted all
smart cards" by user.
--
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o. e-mail: sbrabec@xxxxxxx
Lihovarská 1060/12 tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz/
--
To unsubscribe, e-mail: zypp-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: zypp-devel+help@xxxxxxxxxxxx
Hi, just to summarize, we need notification mechanism for package
updates. All we currently have is the output from rpm (which gets
printed only in zypper, and can be easily overlooked).
Not only that.
Does insnotify()/delnotify() work (where in the .spec file does one set
it)? Can we use it? Bubli said it worked, but was too annoying and
removed from UIs - maybe it wasn't used only for "must see" messages...
It is not sufficient. You want to tell user this fact only once, only
and only if the old version was vulnerable and the new is not.
This is different from insnotify(), which is called every time package
is updated.
As nobody is forced to install each update (especially in OBS), you
cannot do it just for a single versions.
It can even happen that one is updating from vulnerable SLES10 to fixed
SLES11. Even then displaying of "must see" advisory is important.
In the best case user should be warned every time package management is
started online (from command line or GUI) until user confirms that
advisory was read and action was taken (or considered not being
affected).
Confirming this message should be even more privileged action than
installing a security update itself - on a typical desktop it's OK to
click OK for update by user, but it's not OK to click "I reformatted all
smart cards" by user.
--
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o. e-mail: sbrabec@xxxxxxx
Lihovarská 1060/12 tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz/
--
To unsubscribe, e-mail: zypp-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: zypp-devel+help@xxxxxxxxxxxx
| < Previous | Next > |